Restrict a client port-forward to 1 port

Joseph Spenner joseph85750 at yahoo.com
Sun Aug 16 03:44:08 EST 2009


--- On Fri, 8/14/09, Adriana Rodean <adrya1984 at gmail.com> wrote:

> > On Thu, Aug 13, 2009 at 22:00, Joseph Spenner <joseph85750 at yahoo.com> wrote:
> > From what I can tell, your goal is to restrict certain
> > REMOTE port forward values.  I do not think it is possible
> > to place restrictions on REMOTE port forwards if port
> > forwarding is enabled in sshd_config.  In the
> > authorized_keys, you can list 'permitopen' options, but this
> > only applies to LOCAL port forwards.
> 
> Yes, that's exactly what I want: restrict certain REMOTE
> port forward values.
> If client X has remote port 1037 on the server, then client
> Y should be forbidden to do remote port-forwarding on port
> 1037 if client X is not connected.
> Can't it be restricted somehow with iptables or with some
> Linux commands?
> If ssh can't, I'm thinking maybe Linux can...
> I mean restrict only client X (which is behind a certain IP
> address) to listen on port 1037 on the server.
> 
> I'm not a Linux user, and have minimal knowledge about Linux,
> but maybe someone knows...
> 
> Thank you again,
> Adriana
> 

Another option could be to create a type of 'portmon' script (port monitor).  It could run via root cron, and be looking for user port forwards.  Here's an example of what it would see on the sshd (remote) server:

root at slack182:~# lsof -ni |grep user42
sshd    2565 user42    7u  IPv4 146804       TCP 127.0.0.1:12345 (LISTEN)

This means user42 has a REMOTE port forward built on port 12345 (notice, it is bound to 127.0.0.1 as remote port forwards always are).
Your script could look for such processes, and if unauthorized ports are present kill the PID(s) associated with them (in this case 2565).
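The 'portmon' idea from the reply above, worked out as an added example (my code, not from the original post or the OpenSSH project): it parses `lsof -ni` output, keeps only sshd sockets in LISTEN state, checks each bound port against a per-user allowlist, and reports (or, with the hypothetical `--kill` flag, terminates) the sshd PIDs holding a forbidden listener. The allowlist, the sample lsof output (built around the line quoted in the reply) and the `--sample`/`--kill` flags are assumptions.

```python
#!/usr/bin/env python3
"""portmon: flag sshd remote port-forward listeners that a user is not allowed to hold.

Added example for the approach sketched in the thread; not code from the original post.
"""
import os
import re
import signal
import subprocess
import sys

# Per-user allowlist of remote-forward ports (constructed policy; adjust to taste).
ALLOWED_PORTS = {
    "user42": {12345},
    "clientx": {1037},
}

# Constructed sample of `lsof -ni` output. The user42 line is the one quoted in the
# thread (older lsof, no SIZE/OFF column); the others were added to exercise the parser.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      991   root    3u  IPv4  12001      0t0  TCP *:22 (LISTEN)
sshd    2565 user42    7u  IPv4 146804       TCP 127.0.0.1:12345 (LISTEN)
sshd     2565 user42    8u  IPv4 146810      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
sshd     2601 user43    7u  IPv4 147112      0t0  TCP 127.0.0.1:1037 (LISTEN)
sshd     2602 clientx   7u  IPv6 147200      0t0  TCP [::1]:1037 (LISTEN)
"""

# Tolerates both lsof layouts above: anything between USER and "TCP" is skipped.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\sTCP\s+(?P<addr>\S+)\s+\(LISTEN\)\s*$"
)


def parse_listeners(lsof_output):
    """Yield (pid, user, port) for every sshd TCP socket in LISTEN state."""
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m or m.group("cmd") != "sshd":
            continue
        # Port is whatever follows the last ':' (handles 127.0.0.1:12345, *:22, [::1]:1037).
        port = int(m.group("addr").rsplit(":", 1)[1])
        yield int(m.group("pid")), m.group("user"), port


def find_violations(lsof_output, allowed=ALLOWED_PORTS, ssh_port=22):
    """Return [(pid, user, port)] for listeners a user is not permitted to hold.

    The daemon's own listener (root on ssh_port) is ignored; every other sshd
    listener must be in that user's allowlist, otherwise it is a violation.
    """
    violations = []
    for pid, user, port in parse_listeners(lsof_output):
        if user == "root" and port == ssh_port:
            continue
        if port not in allowed.get(user, set()):
            violations.append((pid, user, port))
    return violations


def terminate(pids, dry_run=True):
    """SIGTERM each sshd PID holding a forbidden listener (the reply's 'kill the PID' step).

    Note that this ends that client's whole session, not just the forward.
    """
    for pid in sorted(set(pids)):
        if dry_run:
            print(f"would terminate sshd pid {pid}")
        else:
            os.kill(pid, signal.SIGTERM)


def main(argv):
    dry_run = "--kill" not in argv          # hypothetical flag: report only unless given
    if "--sample" in argv:                   # hypothetical flag: use the constructed output
        output = SAMPLE_LSOF
    else:
        # Needs root to see other users' sockets; -n/-P skip name lookups, -i = network files.
        output = subprocess.run(["lsof", "-nP", "-i"], capture_output=True,
                                text=True, check=False).stdout
    violations = find_violations(output)
    for pid, user, port in violations:
        print(f"unauthorized listener: pid={pid} user={user} port={port}")
    terminate([v[0] for v in violations], dry_run=dry_run)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

From root cron it would run without `--sample`; it exits non-zero whenever a violation is found, which is easy to alert on before enabling `--kill`. Killing the sshd child (PID 2565 in the reply's example) drops that user's entire session, not only the forward, so the check runs with a lag and is disruptive rather than preventive. Later OpenSSH releases (7.8 onward) added the `permitlisten` authorized_keys option and the `PermitListen` sshd_config directive, which restrict remote forwards directly; the thread predates them, and on a current server they are the cleaner control.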

More information about the openssh-unix-dev mailing list